The Associated Press Twitter account (@AP) was recently hacked resulting in the following Tweet:
This single Tweet caused a brief $136 Billion crash in the stock market and eventually led to the suspension of the @AP Twitter account along with several other Associated Press Twitter accounts.
How the AP Twitter Account Was Hacked
The AP has confirmed the attack was a result of a simple phishing attack. Various employees of the Associated Press received the following email:
From: Associated Press Technology
Tue 4/23/2013 12:29 PM
All Staff –
Some users are receiving emails that appear to have a link to a Reuters or Washington Post news story. This email is a phishing attempt that takes users to a bogus site requesting you to log on. Users are advised not to click on the link and not to enter their logon credentials. If you have already clicked on the link, or entered your logon credentials, please contact the help desk immediately.
The Associated Press
This is the phishing email:
Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Please read the following article, it’s very important :
[A different AP staffer]
How does a Phishing Attack Work?
The phishing email seems innocent enough: just a link to a Washington Post article, right? Not quite. The site likely displayed the article but then prompted the user to log in. The prompted login request is a clear warning sign that something is not right.
We can conclude that at least one Associated Press employee ended up logging into a bogus site with the same password used for the @AP Twitter account.
The hackers were then able to log in to the @AP account at Twitter.com with this password and send the bogus Tweet.
Sharing Twitter passwords with multiple employees increases the chances that one of them can fall victim to a similar phishing or other hacking scam.
How to Keep Your Organization’s Twitter Account Safe?
The big takeaway from this story is to stop sharing your Twitter password with your employees. The fewer people that know and use your Twitter password the better! As explained on Twitter’s site for newsrooms, “No matter how strong your password is, if someone else knows it, it’s no longer secure.”
Other Tips to keep your account safe:
- Use a secure password
- Use two-factor authentication when launched by Twitter
- Link your phone to Twitter; this allows you to regain control of your account
- Don’t log in to your organization’s Twitter account over public Wi-Fi
- When logging into Twitter, make sure the domain is Twitter.com
- Be very skeptical when an emailed link prompts you to log in to Twitter
- If your account is compromised visit Twitter’s support page
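The "make sure the domain is Twitter.com" tip, written as a check that a mail filter or help-desk tool could run on the address of any page asking for a password. This is an added example, not part of the original post; the function names and sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain where staff should ever
# enter the organization's Twitter password.
TRUSTED_LOGIN_DOMAINS = ("twitter.com",)

def belongs_to(host, domain):
    """True for the domain itself or a real subdomain, never a look-alike."""
    return host == domain or host.endswith("." + domain)

def check_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return (ok, reason) for the address of a page that asks for a password."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https:// address"
    if not host:
        return False, "no host in URL"
    if any(belongs_to(host, d) for d in trusted):
        return True, "host is " + host
    # Rejected: say which trick was used so the reader learns to spot it.
    user = (parts.username or "").lower()
    if any(belongs_to(user, d) for d in trusted):
        return False, "trusted name is only the user part; real host is " + host
    if any(d in host for d in trusted):
        return False, "trusted name only appears inside " + host
    return False, "unrelated host " + host

# Constructed sample addresses (not taken from the AP incident).
SAMPLES = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/session",
    "https://twitter.com@login.example/session",
    "https://twitter.com.login.example/session",
    "https://nottwitter.com/login",
    "http://twitter.com/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_login_url(url)
        print(("OK     " if ok else "REJECT ") + url + "  (" + reason + ")")
```

The check fails closed: anything without an `https://` scheme or a parseable host is rejected rather than guessed at.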
You might be wondering, how can an organization like the Associated Press allow multiple contributors to help Tweet and manage their Twitter accounts without sharing the passwords with everybody?
Great question, the answer is GroupTweet!
GroupTweet allows multiple contributors to tweet from a single Twitter account safely and securely
There is no need to hand out your Twitter password to your employees. Keep your account passwords secure by using GroupTweet. Organizations that use GroupTweet get the best of both worlds. GroupTweet allows multiple journalists to Tweet from a company account without having to give out the password!
Better yet, it’s super easy for your contributors and employees. With GroupTweet, approved contributors simply send Tweets from their personal Twitter accounts and include either a specific hashtag or @mention the company account. No need for contributors to log in to a new dashboard or learn some new app.
GroupTweet is being used by News & Media organizations everywhere such as ESPN, FoxNews, ABC, CBS, NBC and others! GroupTweet not only helps you keep your passwords secure, but it also increases the efficiency and engagement of your Twitter accounts by allowing you to source content from your employees.
How are Others Using GroupTweet to Tweet Efficiently and Securely?
We thought you would never ask! To learn more about how other news & media organizations are using GroupTweet, check out this blog post.